Security & Safety Report

How NEONCRUSH protects you

Every protection listed here is live in production. Scope: account safety, data privacy, payments, content moderation, and community tools.

1. Identity & Authentication

  • Sign-in methods: Email + password, and Google OAuth (one-tap).
  • Session security: Sessions use JWTs sent over HTTPS only. Access tokens are short-lived and refreshed automatically; a session that sits idle expires.
  • Password handling: Passwords are never stored in plain text. The auth provider salts and hashes them, and our own backend never handles a raw password.
  • Anonymous sign-ups: Disabled. Every account is tied to a verified email or Google identity.
  • Build-before-signup flow: Users can sculpt an avatar as a guest. The draft is held only in their own browser's sessionStorage (per tab, cleared when the tab closes) and never touches our servers until they sign up and explicitly save.

2. Database Privacy — Row-Level Security (RLS)

Every sensitive table in the database is locked down at the Postgres level with RLS policies. Even if app code had a bug, the database itself refuses to return or modify rows the current user isn't allowed to touch.

Protected tables include:

  • direct_messages — only sender and recipient can read
  • user_wallets — only the wallet owner can read their coin balance
  • user_inventory — items owned are private to the owner
  • crushes, couples, matches — only the people involved
  • cart_items, apartment_rentals, walk_thru_requests — owner-scoped
  • user_blocks — only the blocker can see who they've blocked
  • reports — only moderators and the reporter can read

Roles are stored in a separate user_roles table and checked through a SECURITY DEFINER has_role() function. This avoids the classic privilege-escalation bug of keeping a role column on the profile row: a user who is allowed to edit their own profile could then simply write "moderator" into it. Because has_role() runs with the privileges of its owner rather than the caller, policies can consult user_roles without the user needing (or getting) any direct access to that table.
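The following schema is an added example of the pattern described above and is not NEONCRUSH's own code. It assumes Postgres, a Supabase-style auth.uid() helper that returns the calling user's id, an `authenticated` role for signed-in clients, and hypothetical column names and an app_role enum.

```sql
-- Added example (not NEONCRUSH's own schema). Assumes Postgres with a
-- Supabase-style auth.uid() helper and an `authenticated` role for clients.
create type app_role as enum ('user', 'moderator', 'admin');

-- Roles live in their own table, never on a profile row the user can edit.
-- Anti-pattern for contrast: profiles(role text) plus a policy
--   for update using (auth.uid() = id)
-- lets any user run: update profiles set role = 'admin' where id = auth.uid();
create table user_roles (
  user_id uuid     not null,
  role    app_role not null,
  primary key (user_id, role)
);
alter table user_roles enable row level security;
-- No policies on user_roles: with RLS on and no policy, clients get no rows.

-- SECURITY DEFINER runs with the owner's privileges, so the function can read
-- user_roles although the caller cannot. The pinned search_path stops a
-- caller from shadowing `user_roles` with a table in another schema.
create or replace function has_role(_user_id uuid, _role app_role)
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1 from user_roles
    where user_id = _user_id and role = _role
  );
$$;
grant execute on function has_role(uuid, app_role) to authenticated;

-- direct_messages: only the two parties can read; you can only send as yourself.
create table direct_messages (
  id           bigserial primary key,
  sender_id    uuid not null,
  recipient_id uuid not null,
  body         text not null,
  created_at   timestamptz not null default now()
);
alter table direct_messages enable row level security;
create policy dm_read on direct_messages for select
  to authenticated
  using (auth.uid() in (sender_id, recipient_id));
create policy dm_send on direct_messages for insert
  to authenticated
  with check (auth.uid() = sender_id);  -- a forged sender_id is rejected

-- user_wallets: the owner may read their balance; no client may write it.
create table user_wallets (
  user_id uuid primary key,
  balance bigint not null default 0 check (balance >= 0)
);
alter table user_wallets enable row level security;
create policy wallet_read on user_wallets for select
  to authenticated
  using (auth.uid() = user_id);
-- Deliberately no insert/update/delete policy: balances change only via
-- server-side functions.

-- reports: the reporter or a moderator may read; anyone signed in may file one.
create table reports (
  id          bigserial primary key,
  reporter_id uuid not null,
  reported_id uuid not null,
  reason      text not null,
  created_at  timestamptz not null default now()
);
alter table reports enable row level security;
create policy report_read on reports for select
  to authenticated
  using (auth.uid() = reporter_id or has_role(auth.uid(), 'moderator'));
create policy report_file on reports for insert
  to authenticated
  with check (auth.uid() = reporter_id);
```

Two caveats worth checking in any RLS deployment: the table owner and superusers bypass policies unless the table is marked `force row level security`, and a server-side connection that authenticates as a privileged role bypasses them too. That is exactly why the coin-credit path in section 4 is a server-only function rather than a client write.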

3. Content Moderation (AI-Powered)

Every piece of user-generated text is screened by an AI moderator before it's saved to the database. A server-side database trigger acts as a second line of defense, so content that somehow skips the app-level check still cannot be stored.

Moderated surfaces:

  • Direct messages
  • Posts and lifestyle feed entries
  • Profile bios and avatar names
  • Voice intro text

Blocked categories:

  • Harassment, bullying, threats
  • Hate speech and slurs
  • Sexual harassment
  • Underage content (zero tolerance)
  • Impersonation and spam
  • Dox / personal info leakage

If content is flagged, the user gets an instant toast explaining the reason — the message is never persisted.
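As an added illustration of the "second line of defense" trigger (not NEONCRUSH's own moderation code), the following Postgres trigger rejects direct messages that contain an email address or a phone number before the row is written, so the content is never persisted even if a client bypasses the AI screen by calling the database API directly. It assumes the direct_messages(body) table from section 2; the two patterns are illustrative stand-ins for the real rule set.

```sql
-- Added example (not NEONCRUSH's own trigger). Assumes direct_messages(body).
-- The patterns are illustrative: a real backstop would carry the full rule set
-- and the AI verdict would remain the primary filter.
create or replace function reject_personal_info()
returns trigger
language plpgsql
as $$
begin
  -- Email address: case-insensitive match via ~*.
  if new.body ~* '[[:alnum:]._%+-]+@[[:alnum:].-]+\.[[:alpha:]]{2,}' then
    raise exception 'content_blocked: email address'
      using errcode = 'check_violation', hint = 'personal_info';
  end if;

  -- North-American-style phone number with optional country code/punctuation.
  if new.body ~ '(\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}' then
    raise exception 'content_blocked: phone number'
      using errcode = 'check_violation', hint = 'personal_info';
  end if;

  -- Nothing matched: allow the insert/update to proceed.
  return new;
end;
$$;

-- BEFORE INSERT OR UPDATE: the exception aborts the statement, so a flagged
-- body never reaches the table. The hint gives the client a stable reason
-- code to turn into the user-facing toast.
create trigger direct_messages_personal_info
  before insert or update of body on direct_messages
  for each row execute function reject_personal_info();
```

Because the trigger raises inside the same transaction as the write, a rejected message rolls back cleanly; the client sees a `check_violation` error with the reason in the hint, which maps naturally onto the "instant toast" behaviour described above.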

4. Payments — Stripe Integration

Coin purchases run through Stripe. We never see or store credit card numbers.

Webhook safeguards:

  • Signature verification: the Stripe webhook checks the Stripe-Signature header of every event against the endpoint secret (STRIPE_WEBHOOK_SECRET) before crediting any coins. Unsigned or mis-signed events are rejected.
  • Idempotency: each Stripe event ID is recorded in processed_stripe_events, so a replayed or duplicated event can't double-credit a wallet.
  • Coin grants happen through a SECURITY DEFINER SQL function that only the server role may execute: the webhook can credit, but no client can.

What this means: No one can spoof a fake purchase to inflate their wallet. Coins only come from a verified Stripe payment, a daily login claim, or a gift from another verified user.
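The idempotent, server-only credit path described above, as an added example that is not NEONCRUSH's own function. It assumes the user_wallets table from section 2, that the webhook edge function has already verified the Stripe-Signature header against STRIPE_WEBHOOK_SECRET and taken the coin amount from the verified event (never from anything the client sent), and Supabase-style role names (`service_role` for the server, `authenticated`/`anon` for clients).

```sql
-- Added example (not NEONCRUSH's own function). Assumes user_wallets(user_id,
-- balance) and Supabase-style roles; the caller (the webhook) has already
-- verified the Stripe signature and extracted event_id, user_id and coins.

-- One row per Stripe event. The primary key is what makes a replay a no-op.
create table processed_stripe_events (
  event_id     text primary key,   -- the 'evt_…' id from the verified payload
  user_id      uuid not null,
  coins        bigint not null check (coins > 0),
  processed_at timestamptz not null default now()
);
alter table processed_stripe_events enable row level security;
-- No policies: clients cannot read or pre-insert event ids to poison the table.

create or replace function credit_coins_from_stripe(
  _event_id text, _user_id uuid, _coins bigint)
returns boolean   -- true = credited now, false = event already processed
language plpgsql
security definer
set search_path = public
as $$
declare
  claimed bigint;
begin
  -- Step 1: claim the event id. A concurrent delivery of the same event
  -- blocks on the PK until this transaction commits, then hits the conflict.
  insert into processed_stripe_events (event_id, user_id, coins)
  values (_event_id, _user_id, _coins)
  on conflict (event_id) do nothing;
  get diagnostics claimed = row_count;
  if claimed = 0 then
    return false;   -- replay or Stripe retry: wallet untouched
  end if;

  -- Step 2: credit the wallet in the same transaction. A crash between the
  -- two steps rolls both back, so Stripe's retry is processed cleanly.
  insert into user_wallets (user_id, balance)
  values (_user_id, _coins)
  on conflict (user_id) do update
    set balance = user_wallets.balance + excluded.balance;

  return true;
end;
$$;

-- Functions are EXECUTE-able by PUBLIC by default; lock this one to the server.
revoke execute on function credit_coins_from_stripe(text, uuid, bigint)
  from public, anon, authenticated;
grant execute on function credit_coins_from_stripe(text, uuid, bigint)
  to service_role;
```

Calling `select credit_coins_from_stripe('evt_example', '<user uuid>', 500);` twice for the same event id credits the wallet once: the first call claims the row and returns true, the second sees the primary-key conflict and returns false without touching the balance. A client connecting as `authenticated` cannot call the function at all, which is the "webhook can credit, but no client can" guarantee from the list above.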

5. Community Safety Tools

Tool (where it lives): what it does

  • Block (Profile menu, DM header): Instant and silent. Blocks DMs, crushes, and visibility both ways. The blocked user is never notified.
  • Report (Profile menu, DM header): Sends a confidential report to moderation with reason and context.
  • Safety Tips (Onboarding and profile): Plain-English reminders about consent, privacy, and scams.
  • Bot labels (Every AI persona): Bots are clearly marked; they flirt, but can't meet IRL.
  • Walk-Thru toggle (Profile): Users opt in to receive in-person tour requests; off by default.

6. Community Guidelines (Zero-Tolerance List)

These behaviors lead to immediate avatar removal or permanent suspension:

  • Harassment, bullying, or threats of any kind
  • Slurs or hate speech (race, gender, orientation, disability, religion)
  • Sexual harassment or non-consensual sexual content
  • Body-shaming or demeaning behavior
  • Impersonating another person or brand
  • Soliciting minors or pretending to be a minor
  • Sharing another user's personal info ("doxxing")
  • Coercion — pressuring anyone for contact, photos, money, or coins
  • Scams (off-platform payment requests, fake giveaways)
  • Repeated unwanted contact after being told to stop

7. Your Personal Safety Checklist

  • Never share real-life contact info, passwords, or payment details inside DMs.
  • Block first, ask later — if someone makes you uncomfortable, block them. No explanation required.
  • Report screenshots aren't required — moderation can pull the original messages from logs.
  • Coins are virtual. Anyone asking you to send them outside the app or trade for real money is scamming you.
  • Bots are labeled. AI personas can flirt, but they can't meet you in real life.
  • Trust the toast. If a message gets blocked by moderation, that's a signal — not a glitch.

8. What Happens When You Report

  1. Your report goes straight to the moderation team — confidentially.
  2. We review the avatar, the behavior, and any past reports.
  3. Outcomes scale with severity: warning → avatar removal → permanent suspension.
  4. Repeat or severe violations get zero second chances.

9. Infrastructure Hardening

  • HTTPS everywhere — all traffic is TLS-encrypted.
  • No secrets in client code — API keys for Stripe, AI moderation, etc. live only in server-side secrets storage.
  • Edge functions verify JWTs by default; public webhooks verify provider signatures instead.
  • Rate limiting & abuse guards on DMs, crush sends, and report filings to prevent spam and griefing.
  • Audit trail — coin transfers, reports, and moderation actions are all logged with timestamps.

Bottom line

NEONCRUSH is built so you can be bold without being burned. The tech does the quiet work; you focus on the scene. 💜